1. Field of the Invention
The present invention relates to data management within a virtual execution environment (VEE), and more particularly, to dedication of one or more VEEs for serving as a network interface for remote users.
2. Background Art
Network administration services for computer systems are typically implemented by network interfaces located on the edge of a local area network (LAN). The network administration includes security services provided for all of the computer systems “behind” a firewall. Another typical implementation of network administration services is to have a network interface having security application, such as anti-virus or spam filtering, executed on each of the computer systems.
Computer systems, such as those that run server processes, typically have a set of services (sometimes called “daemons”) that are used for servicing user requests and operating system requests. These services can be dedicated to servicing requests from external anonymous users, for example, a WWW service or an anonymous FTP service. They can also be used for servicing requests from authorized users, such as FTP service and email service POP3/IMAP4 (Post Office Protocol 3/Internet Message Access Protocol (version 4)).
For management (administration) of the network services, typically a system administrator is necessary, who can enter appropriate operating system commands, and who can monitor the state of the operating system and the services. A particular example of a system administrator is an operator, who is typically allowed only a highly restricted subset of functions—for example, checking server statistics, management of print queues, etc.
The cost of a system administrator for the owner of such a system (e.g., a data center) is often a substantial part of the total cost of ownership (TCO). Easing the burden on such a system operator and enabling a substantial commonality of his activities is an important issue in software development for data center administration.
The job of an administrator, as it relates to administrative services, often includes not just direct commands to the computer system for performance of specific actions, but also involves certain “indirect” operations. Examples of such indirect operations include assurance of an appropriate level of security, verification of system state, backing up data and creation of backup databases, provision of new servers and services, load balancing, etc. Attempts to ease the burden on the operator for providing such functions take several forms.
For example, the use of Virtual Private Servers (VPSs) allows at least some commonality among the various server processes running within the computer system, and also allows commonality in their instantiation and configuration. Usually VPSs are installed with mass administration tools, for example, Virtuozzo™ VPS (available from SWsoft, Inc., www.swsoft.com) has a set of special scripts, command line and Graphical User Interface utilities for such a purpose.
The problem of administration of a large set of services and servers for many users is widely known, especially to administrators of web hosting companies and data centers. Each routine operation often requires expensive manual operations, and, when handling thousands of users even on single hardware box with a single operating system, each simple operation, which should be performed hundreds and thousands of times, becomes very expensive. Unification and simplification of mass operations therefore can result in a significant economical benefit.
Another ever-present problem is assuring a level of safety and security of the services provided to the users. For example, authentication of users and user login verification has to occur within a safe environment. Any failures and crashes of services for one user should not affect services for other users, and should not affect overall system security.
The concept of a so-called “sandbox” is one conventional solution. For example, in the UNIX environment, it is common to place the FTP services for anonymous users within a “sand box.” In that case, even if an intruder manages to gain access to that particular server and “breaks it,” then his malicious activities still occur within the sand box (a secure environment), and the intruder cannot gain access to any critical system data in this fashion.
Additionally, there may be issues with execution of non-standard operations. One type of such non-standard operations is “dangerous” operations that can result in an unpredictable state of the system. Examples include remote services reboot and remote firewall configuration operation. In the case of remote services reboot, should that process fail to reboot and reinitialize the appropriate server process properly, the only recourse available to an administrator of that particular process (for example, to a remote VPS administrator) is to request expensive manual intervention from the system administrator. In the case of remote firewall configuration, the person configuring the firewall could accidentally mis-configure it in such a manner that even the administrator or operator of such a firewall is himself blocked from any further access through the firewall. This results in a server process or a VPS, that is “empty,” i.e., running “normally,” but is in reality useless, because it is inaccessible.
Other non-standard operations include organization of services providing name-based hosting for web users, where a number of virtual web servers share the same IP address with a single logical instance of webserver. Other services include security services.
Accordingly, what is needed is a system and method for providing a more secure and more efficient mechanism for network traffic processing services in a multi-server environment.